On behalf of Ivan Nečas, who worked on the fix:
A critical security issue, CVE-2018-14643, has been discovered in the Remote Execution plugin (within the smart_proxy_dynflow package). This issue allows an unauthorized remote attacker to perform arbitrary code execution on managed hosts.
The affected versions of the smart_proxy_dynflow package are 0.1.8 and later (Foreman >= 1.15). Users of Foreman Remote Execution and Foreman Ansible are affected by this issue.
The fix for this issue has been merged and the releases are being prepared in the following packaging PRs:
- rpm/forman-1.18+ (scratch builds are available here)
- rpm/forman-1.15+ (no scratch builds at this moment)
- deb/forman-1.18+
- deb/forman-1.15+
After updating the packages, it is required to run:
systemctl restart foreman-proxy
To mitigate the issue before updating the packages, it is possible to temporarily disable the remote execution functionality with the following configuration change:
sed -i 's/:enabled: .*/:enabled: false/' /etc/foreman-proxy/settings.d/dynflow.yml
systemctl restart foreman-proxy
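As an added example (not part of this advisory or of the Foreman project's own tooling), the following POSIX shell function lets an administrator confirm that the temporary mitigation above is actually in place on a proxy, by reading the `:enabled:` key from a dynflow settings file. It assumes the key appears on its own line in the simple `:enabled: true|false` form the sed command above targets; the sample files it creates are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the dynflow feature
# is enabled in a foreman-proxy settings file.
# Prints "disabled", "enabled", "unknown" (no :enabled: key) or "missing"
# (file unreadable). Always returns 0 so it can be used in pipelines.
dynflow_state() {
  file="$1"
  if [ ! -r "$file" ]; then
    echo "missing"
    return 0
  fi
  # Extract the value of the first ":enabled:" line, ignoring leading spaces
  # and anything after the value (e.g. a trailing comment).
  value=$(sed -n 's/^[[:space:]]*:enabled:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$file" | head -n 1)
  case "$value" in
    false) echo "disabled" ;;
    true)  echo "enabled" ;;
    *)     echo "unknown" ;;
  esac
  return 0
}

# Returns 0 only when the mitigation (feature disabled) is in effect.
dynflow_mitigated() {
  [ "$(dynflow_state "$1")" = "disabled" ]
}

# Constructed sample files (other keys of the real dynflow.yml are omitted).
tmpdir=$(mktemp -d)
cat > "$tmpdir/enabled.yml" <<'EOF'
---
# constructed sample: feature still on
:enabled: true
EOF
cat > "$tmpdir/disabled.yml" <<'EOF'
---
# constructed sample: mitigation applied
:enabled: false
EOF

dynflow_state "$tmpdir/enabled.yml"
dynflow_state "$tmpdir/disabled.yml"
```

On a real proxy, run `dynflow_state /etc/foreman-proxy/settings.d/dynflow.yml` after the sed change and the foreman-proxy restart; anything other than "disabled" means the mitigation has not taken effect on that host.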
The package needs to be updated on all hosts that run foreman-proxy with the dynflow feature, which usually means the main Foreman server, where the default smart proxy is often running, as well as all smart proxies with the dynflow feature.
We will keep this post updated with information about the availability of the fixes in the official repositories once we get them through the release process.
The issue was discovered by the core development team, and we are not aware of any public disclosure of this issue before today's announcement with the official CVE.
Background:
This issue was introduced as a regression with this commit, where adding an alternative authorization mechanism for async callbacks from remote hosts caused the original authorization to be bypassed.
As part of the fixing patch, we also added an additional set of tests to make sure we don't run into this issue again.